Symmetric Cryptographic Intel FPGA Hard IP User Guide

ID 714305
Date 10/02/2023
Public
Document Table of Contents

5.3.5. MAC Dropping on Decryption

The Symmetric Cryptographic IP core support a feature to drop the 16 byte MAC tag on decryption request. The feature is available for MACsec only.

To enable this feature, set the decrypt_drop_mac_en parameter to 1. This feature is independent to ICV comparison feature where the ICV comparison result sent out to user is unaffected by this feature.

Table 31.  Egress Packet Example Exiting the AES/SM4 Inline Cryptographic Accelerator This table illustrates the Egress packet exiting the AES/SM4 Inline Cryptographic Accelerator with 16 byte MAC located at different 128 bits segment within the cycle. All the AXI-ST control signals such as tlast, tkeep, tuser_last_segment<N> are updated to reference the last byte of the payload and not the last byte of MAC.
Profile MACsec MACsec   MACsec   MACsec   MACsec
MAC_IV_tweak_en 0 1   1   1   1
data_en 1 0   1   1   1
next_packet_en 0 1   1   1   0
tlast 0 1   1   1   1
num_empty_bytes 0 64   48 to 63   32 to 63   16 to 63
DATA
data[127:0] AAD/Text MAC   AAD/Text   AAD/Text   AAD/Text
data[255:128] AAD/Text AAD/Text   MAC   AAD/Text   AAD/Text
data[391:256] AAD/Text AAD/Text   AAD/Text   MAC   AAD/Text
data[511:392] AAD/Text AAD/Text   AAD/Text   AAD/Text   MAC
Table 32.  Egress Packet Example within the Symmetric Cryptographic IP core This table illustrates the Symmetric Cryptographic IP core discarding the 16 byte MAC. All the AXI-ST control signals such as tlast, tkeep, tuser_last_segment<N> are updated to reference the last byte of the payload and not the last byte of MAC.
Profile MACsec MACsec   MACsec   MACsec   MACsec
tvalid 1 1   1   1   1
MAC_IV_tweak_en 0 1   1   1   1
data_en 1 0   1   1   1
next_packet_en 0 1   1   1   0
tlast 1 0   1   1   1
tkeep All 1's

1111_1111

1111_1111

1111_1111

1111_1111

1111_1111

1111_1111

0000_0000

0000_0000

 

1111_1111

1111_1111

1111_1111

1111_1111

0000_0000

0000_0000

1111_1111

1111_1111

 

1111_1111

1111_1111

0000_0000

0000_0000

1111_1111

1111_1111

1111_1111

1111_1111

 

0000_0000

0000_0000

1111_1111

1111_1111

1111_1111

1111_1111

1111_1111

1111_1111

tuser_last_segment0 0 0   1   0   0
tuser_last_segment1 0 0   0   1   0
tuser_last_segment2 0 0   0   0   1
tuser_last_segment3 1 0   0   0   0
DATA
data[127:0] AAD/Text IDLE   AAD/Text   AAD/Text   AAD/Text
data[255:128] AAD/Text AAD/Text   IDLE   AAD/Text   AAD/Text
data[391:256] AAD/Text AAD/Text   AAD/Text   IDLE   AAD/Text
data[511:392] AAD/Text AAD/Text   AAD/Text   AAD/Text   IDLE

If MAC is located in segment 0 and there is no subsequent packets in segment 1, 2, or 3, the tvalid signal deasserts since all segments are the IDLE bytes after the MAC dropping.